Oh boy, recently a lot has been said about OpenSSL’s bug known as Heartbleed. The issue was caused by the TLS “heartbeat” extension not bounds-checking the payload length a peer claims, so a client could read back up to 64 KB of the server’s process memory per request, which can include the private key. I won’t go too much into the details, but you can read more about it in the previous link. A short explanation is also available on xkcd.
Anyway, while I don’t believe anyone with anything better to do would be trying to break into a server with very little sensitive information, it’s always good to play safe. Since the leaked memory may contain the private key, reissuing the certificate alone is not enough: the key has to be regenerated as well, so I’m regenerating both just in case. Also, I previously used 1024-bit RSA keys, so I’m using this opportunity to bump my keys to 2048-bit. First of all, create a folder that only your server user can read (in my case, the user is “http” and the server is nginx). Note that the nginx master process reads the key as root before dropping privileges to the worker user, so leaving the directory and key owned by root with modes 0700/0600 also works and keeps the key out of reach of the worker processes:
# mkdir /etc/nginx/ssl
# chown http:http /etc/nginx/ssl
# chmod 0700 /etc/nginx/ssl
# cd /etc/nginx/ssl
Start by generating the key. This will ask you for a passphrase, which is then needed both to start nginx and to generate the CSR. The -des3 flag wraps the key with Triple DES; on any reasonably recent OpenSSL you can pass -aes256 instead for a stronger wrapper:
# openssl genrsa -des3 -out mykey.key 2048
Now generate the CSR (certificate signing request). You will be prompted for the subject fields; the Common Name should be the hostname you serve:
# openssl req -new -key mykey.key -out mycert.csr
The passphrase you create will be necessary whenever you want to start the server. This adds some security (a copy of the key file is useless on its own), but it also means nginx cannot start unattended after a power failure or other reboot. If you want to remove the passphrase (writing back to the same file works because openssl loads the key before it opens the output; afterwards make sure the now-unencrypted key is mode 0600):
# openssl rsa -in mykey.key -out mykey.key
Now self-sign the CSR with the same key and the certificate is “good to go”. You can change the number of days the certificate is valid for; I’ve set 365, which seems like a reasonable number. Two things worth adding to the command: -sha256, because older OpenSSL releases otherwise sign with SHA-1 here, and a subjectAltName for the hostname via -extfile, because current browsers match the hostname against the SAN rather than the Common Name and x509 -req does not carry extensions over from the request on every OpenSSL version:
# openssl x509 -req -days 365 -in mycert.csr -signkey mykey.key -out mycert.crt
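The whole key, CSR and self-signing procedure above, scripted so it runs unattended and with the checks I would run before pointing nginx at the files. This is an added example, not code from the original post: the hostname cloud.example.org and the output directory are placeholders, and it writes to a temporary directory by default so it can be run without root (set SSL_DIR=/etc/nginx/ssl and HOST for real use). It departs from the post in three places: the passphrase is never set, the certificate carries a subjectAltName, and the signature is SHA-256.

```shell
#!/bin/sh
# Added example (not from the original post): key -> CSR -> self-signed cert,
# then checks on the result. Assumptions: HOST and SSL_DIR are placeholders;
# SSL_DIR defaults to a temp dir so this runs unprivileged.
set -eu

SSL_DIR="${SSL_DIR:-$(mktemp -d)}"
HOST="${HOST:-cloud.example.org}"   # placeholder hostname
KEY="$SSL_DIR/mykey.key"
CSR="$SSL_DIR/mycert.csr"
CRT="$SSL_DIR/mycert.crt"
DAYS=365

make_key() {
    # 2048-bit RSA with no passphrase (the post strips it anyway so nginx can
    # start after a reboot). umask 077 means the file is never world-readable,
    # not even for the instant between creation and chmod.
    (umask 077 && openssl genrsa -out "$KEY" 2048 2>/dev/null)
    chmod 0600 "$KEY"
}

make_csr() {
    # -subj replaces the interactive prompts; the CN is the hostname.
    openssl req -new -key "$KEY" -out "$CSR" -subj "/CN=$HOST"
}

sign_cert() {
    # Self-sign with SHA-256 (older OpenSSL defaulted to SHA-1 for x509 -req).
    # The SAN goes in through -extfile because x509 -req does not copy request
    # extensions on every OpenSSL version, and browsers match the hostname
    # against the SAN, not the CN.
    printf 'subjectAltName=DNS:%s\n' "$HOST" > "$SSL_DIR/san.ext"
    openssl x509 -req -days "$DAYS" -sha256 -in "$CSR" -signkey "$KEY" \
        -extfile "$SSL_DIR/san.ext" -out "$CRT" 2>/dev/null
}

# --- checks to run before pointing nginx at the files ---

key_bits() {
    # Prints the modulus size, so a leftover 1024-bit key is caught.
    openssl rsa -in "$KEY" -noout -text 2>/dev/null \
        | sed -n 's/^.*Private-Key: (\([0-9]*\) bit.*$/\1/p'
}

key_matches_cert() {
    # The public key inside the certificate must equal the key's public half.
    [ "$(openssl pkey -in "$KEY" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$CRT" -noout -pubkey)" ]
}

cert_has_san() {
    openssl x509 -in "$CRT" -noout -text | grep -q "DNS:$HOST"
}

cert_valid_about_days() {
    # True if the certificate expires later than $1-1 days but within $1+1 days.
    lo=$(( ($1 - 1) * 86400 )); hi=$(( ($1 + 1) * 86400 ))
    openssl x509 -in "$CRT" -noout -checkend "$lo" >/dev/null &&
        ! openssl x509 -in "$CRT" -noout -checkend "$hi" >/dev/null
}

key_is_owner_only() {
    # Mode must be exactly -rw------- (0600): a readable private key is a leaked key.
    [ "$(ls -l "$KEY" | cut -c1-10)" = "-rw-------" ]
}

generate_all() {
    make_key && make_csr && sign_cert
}

generate_all
echo "key:  $KEY ($(key_bits)-bit RSA)"
echo "cert: $CRT"
openssl x509 -in "$CRT" -noout -subject -dates
```

The check functions are the part worth keeping around: key_matches_cert catches a certificate signed with the wrong key (easy to do when regenerating in a hurry), cert_valid_about_days catches a typo in -days, and key_is_owner_only catches a key that was generated with a permissive umask before being moved into place.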
Now all you need is to configure your server to use the SSL certificate. In my case, I’m using it to secure an ownCloud installation running on nginx (the spdy parameter was removed in nginx 1.9.5; on a current nginx write “listen 443 ssl http2;” instead):
server {
    listen 443 ssl spdy;
    (...)
    ssl_certificate /etc/nginx/ssl/mycert.crt;
    ssl_certificate_key /etc/nginx/ssl/mykey.key;
    (...)
}
A self-signed certificate will make the browser complain the first time you visit the site, since no CA it trusts has vouched for it; once you add an exception for the site (or import the certificate into the browser’s trust store), subsequent visits work without the warning. Happy hosting! (;
Sources:
A similar guide for CentOS/RHEL and Apache
Akadia’s guide for self-signed certificates
A similar guide for Ubuntu 12.04 + nginx